How Operational Security Failures Affect Hackers

Every day, most of us leave behind traces on the Internet, including disparate pieces of data that can later be used to learn about a person's activities and break through the veil of anonymity, writes CSO. The fight to prevent attackers from putting these pieces of the puzzle together is known as operational security (opsec).

Most of us don't think too much about all this: no one is trying to track us down, and if they did, the consequences wouldn't be too alarming. But there are those for whom the stakes are much higher. Would it be so bad if someone found, in your anonymous social media accounts, the name of one of your big work projects or the topic of your thesis? Maybe if you were the director of the FBI. Does it matter if the selfies you upload to social media have location data embedded in them, or if your fitness tracker sends anonymous data about your running route to its manufacturer? Maybe if you're a soldier on a secret military base, or in a country where your government swears it didn't send troops.

Hackers and cybercriminals, both freelance and state-sponsored, typically exploit any opsec slips made by potential victims. That is why it is perhaps surprising that these attackers so often fail to cover their own tracks online, whether through arrogance, incompetence, or a combination of the two. You can think of these incidents as morality plays in which the bad guys get their comeuppance, but it is perhaps better to think of them as cautionary tales: you may not be spying for the Chinese government or running an online drug market, but you can fall into the same traps these cybercriminals did, at your peril.

All roads lead to Dread Pirate Roberts

For several years in the early 2010s, Silk Road was a source of fascination for both computer security researchers and law enforcement agencies. An underground marketplace where users could exchange cryptocurrencies for drugs, weapons, and other illegal goods and services brought the idea of the darknet, as well as knowledge about Tor and Bitcoin, to the minds of ordinary people. It really seemed to herald a future in which anonymous online transactions would make the world more dangerous or exciting.

There was only one catch: it was less anonymous than it might seem. The founder and administrator of Silk Road, known as Dread Pirate Roberts, was soon identified as a Texas resident named Ross Ulbricht and arrested, not because his anonymization technology did not work, but because, as it turned out, he had voluntarily left his own data on the Internet.

In 2011, a user with the ID altoid posted on a bitcoin forum about a new hidden service, which he called "anonymous amazon.com", with a link to the site at silkroad420.wordpress.com. A few months later, the same user wrote that he wanted to hire "an IT professional in the bitcoin community," and encouraged candidates to write to [email protected]. That Gmail address, in turn, was linked to a Google+ account that hosted content about Austrian economic theory, a set of libertarian ideas that was also the subject of posts on Silk Road by user Dread Pirate Roberts.

In early 2012, a StackOverflow user named Ross Ulbricht posted a request for help connecting to Tor using PHP, a technique that Silk Road ultimately turned out to use. Ulbricht changed this username less than a minute after posting the request, but the original one remained on the StackOverflow servers. Ulbricht was tracked down and arrested in late 2013, and is currently serving a life sentence in prison.

Trading platforms for bad ideas

Given that Ulbricht was a pioneer of the darknet market, as well as a prime example of poor opsec, you might think that subsequent darknet merchants would have taken the hint from his fate and corrected their own behavior. But some seemed determined to repeat his mistakes.

For example, in 2017, the US and Dutch authorities shut down AlphaBay, another dark web drug market, and arrested Alexandre Cazes, its head. Law enforcement officials noted that the emails AlphaBay users received when registering or resetting their password contained an email address, [email protected], in the headers. (It is unclear which part of this email address should have been more embarrassing for the alleged criminal mastermind, "Pimp_Alex_91" or "hotmail.com".) This email address was linked to some 2008 posts on an online technical forum that were made by user Alpha02 (also the username of the AlphaBay administrator; reused usernames are a frequent opsec slip) and to the real name Cazes.

Some individual sellers on AlphaBay were tripped up by similar errors. For example, Emil Babadzhov sold drugs on the site with an account linked to the email address [email protected]; this led the FBI to a Coinbase account and a Facebook profile under the cleverly inverted name "Lime Voidabab." Jose Robert Porras, meanwhile, was much more circumspect, but he made the mistake of posting a picture of his hand holding banned substances on his AlphaBay page. The quality of the photo was high enough for the police to see his fingerprints and match them with the prints they had on file.

Spies: like us?

Perhaps unsurprisingly, online drug dealers are not the most circumspect people in their behavior. But you'd think that state-sponsored hackers, presumably recruited for their cybersecurity skills and all too familiar with their victims' opsec failures, would be less likely to make mistakes when it comes to their own identity. However, a number of recent high-profile examples have shown that this is not the case.

Take, for example, the rather intimidating Chinese military hacking group referred to in the US as APT1 (APT standing for "advanced persistent threat"). Despite its reputation, this group made some of the same mistakes we saw in the dark web examples, such as reusing usernames across websites.

One APT1 member actually signed the source code he wrote for the group's hacking tools with the pseudonym "Ugly Gorilla". This handle, in turn, could be linked to posts on programming forums that were tied to his real name, Wang Dong. Some of these sites themselves suffered data leaks, with user information being published on the dark web, which allowed American researchers to connect Wang to a specific IP address, one which, as it turned out, APT1 also used.

In general, the group used predictable naming conventions for its usernames, code, and even passwords. Another way their consistency tripped them up: their working hours. Judging by timestamps, most of the group's activity took place during business hours in the Chinese capital, Beijing. This not only pointed to their location, but also indicated that they were professionals, not activists or enthusiasts hacking in their spare time.
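The business-hours pattern described above is something an analyst can test rather than eyeball. The following is an added example, not code from the article or from any researcher it cites: it takes constructed UTC timestamps of observed activity (not real APT1 data) and scores candidate timezones, given here as fixed UTC offsets (real analysis would use `zoneinfo` so that DST is handled), by how many events fall on weekdays between 09:00 and 18:00 local time.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of observed activity (e.g. C2 beacons
# or commit times). 2013-02-18 is a Monday; these are NOT real APT1 data.
SAMPLE_UTC = [
    "2013-02-18T01:15:00", "2013-02-18T02:40:00", "2013-02-18T05:05:00",
    "2013-02-18T07:30:00", "2013-02-19T01:50:00", "2013-02-19T03:20:00",
    "2013-02-19T06:10:00", "2013-02-20T02:00:00", "2013-02-20T04:45:00",
    "2013-02-21T01:30:00", "2013-02-21T08:55:00", "2013-02-22T03:10:00",
    "2013-02-23T02:30:00",  # Saturday in every candidate zone
    "2013-02-18T16:00:00",  # evening outlier for UTC+8, office hours for UTC-5
]

# Candidate zones as fixed offsets (hypothetical labels; ignores DST).
CANDIDATES = {"UTC+8": 8, "UTC+3": 3, "UTC-5": -5}

def parse_utc(stamps):
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]

def business_hours_share(stamps, offset_hours, start=9, end=18):
    """Fraction of events falling Mon-Fri between `start` and `end`
    local time in a zone at the given fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in parse_utc(stamps):
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps)

def rank_timezones(stamps, candidates):
    """Rank candidate zones by how well a 9-to-6 workday explains the data.
    The top score is a hypothesis to corroborate, not an attribution by itself."""
    scores = {name: business_hours_share(stamps, off) for name, off in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def hour_histogram(stamps, offset_hours):
    """Local-hour histogram; a sharp daytime peak suggests salaried operators."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in parse_utc(stamps))

if __name__ == "__main__":
    for name, score in rank_timezones(SAMPLE_UTC, CANDIDATES):
        print(f"{name:8s} {score:.2f}")
    print(sorted(hour_histogram(SAMPLE_UTC, 8).items()))
```

A single strong score is only a lead; corroborate it with independent evidence (language artifacts, infrastructure, holidays observed) before drawing conclusions.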

Giving away the Kingdom

The APT1 case shows that one way to exploit opsec holes is to track the IP addresses of servers associated with the group being monitored. This can tell you a lot about the target, and if you're lucky, you can conduct a small counter-hack when a piece of hacker infrastructure comes into view.

This was the case in two recent counterintelligence scenarios. One involved the Iranian-backed hacker group APT35, also known as Charming Kitten. The group stored gigabytes of data exfiltrated from US and Greek military systems on a cloud server, but the security settings for that server were not properly configured, so when security researchers tracked it down, they were able to find all sorts of files. Probably none was more important for understanding the motives and capabilities of APT35 than a series of screen recordings showing members of the group carrying out hacking activities. These appear to be demo videos, possibly for training purposes, to show new members how the group works.

Meanwhile, another group, identified by the researchers as a "state actor" although the state in question was not named, was discovered through its communication with the command and control server for a new piece of malware. Again, good opsec would require any such server to be securely locked down and to contain no data that could be identified or traced back.

This group obviously didn't feel the need for such hygiene. Data was stored on the server, including an extensive set of WhatsApp messages in which members of the group discussed how best to use their state-allocated budget: whether they should build their own malware that could exfiltrate data from Android or iOS devices, or buy it.

They eventually decided to develop the malware in-house and, in a delightfully self-referential twist, tested it on one of their own phones, extracting the very WhatsApp messaging data in which they had discussed the malware's development. This is a warning to IT professionals around the world: you can be smart enough to write very clever and efficient code and still foolishly mess up your opsec.

Author: Josh Fruhlinger